New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation

(1)

New Methods for Indistinguishability Obfuscation:

Bootstrapping and Instantiation

Shweta Agrawal∗

Abstract

Constructing indistinguishability obfuscation (iO) [BGI+₀₁_{] is a central open question in}

cryptography. We provide new methods to make progress towards this goal. Our contributions may be summarized as follows:

1. Bootstrapping. In a recent work, Lin and Tessaro [LT17] (LT) show that iO may be constructed using i) Functional Encryption (FE) for polynomials of degree L, ii) Pseudorandom Generators (PRG) with blockwise locality L and polynomial expansion, and iii) Learning With Errors (LWE). Since there exist constructions ofFE for quadratic polynomials from standard assumptions on bilinear maps [Lin17, BCFG17], the ideal scenario would be to setL= 2, yielding iOfrom widely believed assumptions.

Unfortunately, it was shown soon after [LV17, BBKK17] that PRGwith block locality 2 and the expansion factor required by the LT construction, concretely Ω(n·2b(3+)_{), where} nis the input length andb is the block length, do not exist. In the worst case, these lower bounds rule out 2-block local PRG with stretch Ω(n·2b(2+)_{). While [}_LV17_, _BBKK17_] provided strong negative evidence for constructingiObased on bilinear maps, they could not rule out the possibility completely; a tantalizing gap has remained. Given the current state of lower bounds, the existence of 2 block localPRGwith expansion factor Ω(n·2b(1+)₎ remains open, although this stretch does not suffice for the LT bootstrapping, and is hence unclear to be relevant foriO.

In this work, we improve the state of affairs as follows.

(a) Weakening requirements on Boolean PRGs: In this work, we show that the narrow window of expansion factors left open by lower boundsdosuffice foriO. We show a new method to constructFEfor NC1 from i)FEfor degreeLpolynomials, ii) PRGs of block localityLand expansion factor ˜Ω(n·2b(1+)_{), and iii)}_LWE_(or _{RLWE). Our} method of bootstrapping is completely different from all known methods and does not go via randomizing polynomials.

This re-opens the possibility of realizing iOfrom2block local PRG,SXDHon Bilinear maps andLWE.

(b) Broadening class of sufficient randomness generators: Our bootstrapping theorem may be instantiated with a broader class of pseudorandom generators than hitherto considered foriO, and may circumvent lower bounds known for the arithmetic degree

∗

(2)

ofiO-sufficientPRGs [LV17,BBKK17]; in particular, these may admit instantiations with arithmetic degree 2, yielding iOwith the additional assumptions of SXDHon Bilinear maps andLWE. In more detail, we may use the following two classes of PRG:

i. Non-Boolean PRGs: We may use pseudorandom generators whose inputs and outputs need not be Boolean but may be integers restricted to a small (polynomial) range. Additionally, the outputs are not required to be pseudorandom but must only satisfy a milder indistinguishability property1_. _{We tentatively propose}

initializing these PRGs using the multivariate quadratic assumption MQwhich has been widely studied in the literature [MI88,Wol05, DY09] and against the general case of which, no efficient attacks are known. We note that our notion of non Boolean PRGs is qualitatively equivalent to the notion of ∆ RGs defined in the concurrent work of Ananth, Jain, Khurana and Sahai [AJKS18] except that ∆ RG are weaker, in that they allow the adversary to win the game with 1/poly probability whereas we require that the adversary only wins with standard negligible probability. By relying on the security amplification theorem of [AJKS18] in a black box way, our construction can also make do with the weaker notion of security considered by [AJKS18].

ii. Correlated Noise Generators: We introduce an even weaker class of pseudorandom generators, which we call correlated noise generators (CNG) which may not only be non-Boolean but are required to satisfy an even milder (seeming) indistinguishability property.

(c) Assumptions and Efficiency. Our bootstrapping theorems can be based on the hardness of the Learning With Errors problem or its ring variant (LWE/RLWE) and can compile FEfor degreeLpolynomials directly toFEfor NC1. Previous work compilesFEfor degreeLpolynomials toFEforNC0toFEforNC1toiO[LV16,Lin17,AS17,GGH+13c]. Our method for bootstrapping toNC1 does not go via randomized encodings as in previous works, which makes it simpler and more efficient than in previous works.

2. Instantiating Primitives. In this work, we provide the first direct candidate of FE for constant degree polynomials from new assumptions on lattices. Our construction is new and does not go via multilinear maps or graded encoding schemes as all previous constructions. In more detail, let F be the class of circuits with depth d and output length `. Then, for any f ∈ F, our scheme achieves Time(KeyGen) = O poly(κ,|f|)

, andTime(Enc) =O(|x| ·2d_·_{poly(κ)) where}_κ_{is the security parameter. This suffices to} instantiate the bootstrapping step above. Our construction is based on the ring learning with errors assumption (RLWE) as well as new untested assumptions on NTRU rings.

We provide a detailed security analysis and discuss why previously known attacks in the context of multilinear maps, especially zeroizing attacks and annihilation attacks, do not appear to apply to our setting. We caution that the assumptions underlying our construction must be subject to rigorous cryptanalysis before any confidence can be gained in their security. However, their significant departure from known multilinear map based constructions make them, we feel, a potentially fruitful new direction to explore. Additionally, being based entirely on lattices, we believe that security against classical attacks will likely imply security against quantum attacks. Note that this feature is not enjoyed by instantiations that make any use of bilinear maps even if secure instances of

(3)

weak PRGs, as defined by the present work, the follow-up by Lin and Matt [LM18] and the independent work by Ananth, Jain, Khurana and Sahai [AJKS18] are found.

1 Introduction

Indistinguishability Obfuscation. Program obfuscation aims to make a program “unintelligible” while preserving its functionality. Indistinguishability obfuscation [BGI+₀₁_{] (}_iO_{) is a flavour of}

obfuscation, which converts a circuit C to an obfuscated circuitO(C) such that any two circuits that have the same size and compute the same function are indistinguishable to a computationally bounded adversary.

While it is non-obvious at first glance what this notion is useful for, recent work has demonstrated the tremendous power of iO. iO can be used to construct almost any cryptographic object that one may desire – ranging (non-exhaustively) from classical primitives such as one way functions [KMN+14], trapdoor permutations [BPW16], public key encryption [SW14] to deinable encryption [SW14], fully homomorphic encryption [CLTV15], functional encryption [GGH+13c], succinct garbling schemes [CHJV15,BGL+15,KLW15,LPST16] and many more.

The breakthrough work of Garg et al. [GGH+13c] presented the first candidate construction ofiO

from the beautiful machinery of graded encoding schemes [GGH13a]. This work heralded substantial research effort towards understandingiO: from cryptanalysis to new constructions to understanding and weakening underlying assumptions to applications. On the cryptanalysis front, unfortunately, all known candidate graded encoding schemes [GGH13a, CLT13, GGH15] as well as several candidates of iO have been broken [CHL+15,CGH+15,HJ15,CJL,CFL+,MSZ16,CLLT16,ADGM16]. Given the power of iO, a central question in cryptography is to construct iO from better understood hardness assumptions.

Functional Encryption. Functional encryption (FE) [SW05,SW] is a generalization of public key encryption in which secret keys correspond to programs rather than users. In more detail, a secret key embeds inside it a circuit, sayf, so that given a secret keySKf and ciphertextCTx encrypting a messagex, the user may run the decryption procedure to learn the valuef(x). Security of the system guarantees that nothing beyondf(x) can be learned fromCTxandSKf. Recent years have witnessed significant progress towards constructing functional encryption for advanced functionalities, even from standard assumptions [BF01, Coc01, BW06, BW07, GPV08, CHKP10, ABB10, GPSW06, BSW07, KSW08, LOS+10, AFV11, Wat12, GVW13, GGH+13d, GGH+13c, GVW15]. However, most constructions supporting general functionalities severely restrict the attacker in the security game: she must request only a bounded number of keys [GVW12,AR17, GKP+13], or may request unbounded number of keys but from a restricted space2 [GVW15,Agr17]. Schemes that may be proven secure against a general adversary are restricted to compute linear or quadratic functions [ABCP15,ALS16,Lin17,BCFG17].

Constructing iO from FE. Recent work [AJ15, BV15, AJS15] provided an approach for constructingiO via FE. While we do not have any candidate constructions for FEthat satisfy the security and efficiency requirements for constructingiO (except constructions that themselves rely on graded encoding schemes oriO [GGH+13c,GGHZ14]),FEis a primitive that is closer to what cryptographers know to construct and bringsiO nearer the realm of reachable cryptography.

An elegant sequence of works [Lin16,LV16, Lin17,AS17, LT17] has attempted to shrink the functionality of FEthat suffices foriO, and construct FE for this minimal functionality from graded

(6)

encoding schemes or multilinear maps. Concretely, the question is: what is the smallest Lsuch that

FE supporting polynomials of degree L suffices for constructingiO? At a high level, these works follow a two step approach described below:

1. Bootstrapping FE to iO.The so called “bootstrapping” theorems have shown that general purpose iO can be built from one of the following: i) sub-exponentially secure FE for NC1

[AJ15,BV15,AJS15,BNPW16], or ii) sub-exponentially secureFE for NC0 and PRGinNC0

[LV16] iii)PRGs with locality L andFE for computing degree L polynomials [Lin17] or iv)

PRGs withblockwise locality Land FE for computing degreeL polynomials [LT17].

At a high level, all bootstrapping theorems make use of randomized encodings [IK00,AIK06] to reduce computation of a polynomial sized circuit to computation of low degree polynomials.

2. Instantiating Primitives. ConstructFE supporting degreeL polynomials based on graded encodings or multilinear maps [LV16,Lin17].

1.1 Bootstrapping, the Ideal.

Since we have candidates of FEfor quadratic polynomials from standard assumptions on bilinear maps [Lin17,BCFG17], a dream along this line of work would be to reduce the degree required to be supported by FE all the way down to 2, yieldingiO, from bilinear maps and other widely believed assumptions (likeLWE andPRGwith constant locality). The recent work of Lin and Tessaro [LT17] (LT) came closest to achieving this, by leveraging a new notion ofPRG they termedblockwise local

PRG. APRGhas blockwise localityLand block-sizeb, if when viewing the input seed as a matrix of

brows and ncolumns, every output bit depends on input bits in at most L columns. As mentioned above, they showed that PRGs with blockwise locality Land certain polynomial stretch, along with

FE for computing degreeL polynomials and LWE suffice foriO.

Unfortunately, it was shown soon after [LV17, BBKK17] that PRG with block locality 2 and the stretch required by the LT construction, concretely Ω(n·2b(3+)), do not exist. In the worst case, these lower bounds rule out 2-block local PRGwith stretch Ω(n·2b(2+)). On the other hand, these works suggest that 3 block local PRGare likely to exist, thus shrinking theiO-sufficient degree requirement on FEto 3.

(7)

Stretch Worst case versus Random

Predicate

Worst case versus Random

Graph

Different versus Same Predicate per output bit

Reference

˜

Ω(n·2b(1+)) Random Random Different [BBKK17]

˜

Ω(n·2b(2+)) Worst Case Worst Case Different [BBKK17]

˜

Ω(n·2b(1+)) Worst Case Worst Case Same [LV17]

˜

Ω(n·2b(1+)) Worst Case Worst Case Different Open

As we see in the above table, the existence of 2 block local PRGwith carefully chosen graph and predicates with stretch ˜Ω(n·2b(1+)) is open. However, even in the case that these exist, it is not clear whether its even useful, since the Lin-Tessaro compiler requires larger stretch Ω(n·2b(3+)), which is ruled out by row 2 above. In the current version of their paper, [LT17] remark that “Strictly speaking, our results leave a narrow window of expansion factors open where block-wise PRGs could exist, but we are not aware whether our approach could be modified to use such low-stretch PRGs.”

Bootstrapping: Our Results. In this work, we show that the narrow window of expansion factors left open by lower bounds do suffice for iO. Moreover, we define a larger class of pseudorandomness generators than those considered so far, which may admit lower degree instantiations. We then show that these generators with the same expansion suffice for iO. We discuss each of these contributions below.

Weakening requirements on PRGs: We show a new method to constructFE forNC1 fromFE

for degree L polynomials, sub-exponentially securePRGs of block localityL andLWE (orRLWE). Since FEforNC1 impliesiO forP/Poly [AJ15,BV15,BNPW16], this suffices for bootstrapping all the way toiO forP/Poly. Our transformation requires the PRG to only have expansionn·2b(1+) which is not ruled out as discussed above. This re-opens the possibility of realizing 2 block local

PRGwith our desired expansion factor (see below for a detailed discussion), which would imply iO

from 2 block local PRG,SXDHon Bilinear maps and LWE. A summary of the state of art in PRG

based bootstrapping is provided in Figure 1.1.

Broadening class of sufficient PRGs: Our bootstrapping theorem may be instantiated with a broader class of pseudorandom generators than hitherto considered for iO, and may circumvent lower bounds known for the arithmetic degree ofiO-sufficientPRGs [LV17, BBKK17]; in particular, these may admit instantiations with arithmetic degree 2, yielding iO along with the additional assumptions ofSXDH on Bilinear maps and LWE. In more detail, we may use the following two classes of PRG:

1. Non-Boolean PRGs: We may use pseudorandom generators whose inputs and outputs need

not be Boolean but may be integers restricted to a small (polynomial) range. Additionally, the outputs are not required to be pseudorandom but must only satisfy a milder indistinguishability property3_{. We tentatively propose initializing these PRGs using the multivariate quadratic}

assumption MQ which has been widely studied in the literature [MI88,Wol05, DY09] and against the general case of which, no efficient attacks are known.

3

(8)

2. Correlated Noise Generators: We introduce an even weaker class of pseudorandom generators, which we call correlated noise generators (CNG) which may not only be non-Boolean but are required to satisfy an even milder (seeming) indistinguishability property.

Assumptions and Efficiency. Our bootstrapping theorems can be based on the hardness of

LWE or its ring variant RLWEand compiles FE for degree L polynomials directly to FE for NC1.

Our method for bootstrapping toNC1 does not go via randomized encodings as in previous works. Saving the transformation to randomized encodings makes bootstrapping toNC1 more efficient than in previous works. For instance, [LT17] requireQ PRGseeds, whereQis the (polynomial) length of random tapes needed by the randomized encodings. On the other hand we only need 2PRGseeds, since we avoid using randomized encodings, yielding a ciphertext that is shorter by a factor ofQ, as well as (significantly) simpler pre-processing.

L block-local PRG FE for deg L poly FE for NC0

FE for NC1 iO for P/Poly

Uses randomized polys [AIK11, LV16]

[LT17, Lin17, AS17] [AJ15, BV15, BNPW16]

Need PRG with expansion Ω(n 2b(3+ε)_), LV17, BBKK17 rule out 2 block local PRG with expansion Ω(n 2b(2+ε)_).

Instantiable for L=2 assuming SXDH on bilinear maps [Lin17,BCFG17]

L block-local PRG FE for deg L poly FE for NC1

iO for P/Poly

This. New proof technique not using randomizing polys.

[AJ15, BV15, BNPW16]

Need PRG with expansion Ω(n 2b(1+ε)_), NOT ruled out for L=2 by LV17, BBKK17 in worst case

Instantiable for L=2 assuming SXDH on bilinear maps [Lin17, BCFG17]

Lin-Tessaro, Crypto 17 This Work

Figure 1.1: State of the Art in Bootstrapping FE toiO. In the present work, we may bootstrap directly to FEforNC1 without going throughNC0.

1.2 Instantiation: the Ideal.

To instantiate iO via FE for constant degree polynomials, [LT17] rely on the FE for degree L

polynomials constructed by Lin [Lin17], which relies on SXDH on noiseless algebraic multilinear maps of degreeL, for which no candidates of degree greater than 2 are known to exist. As discussed by [Lin17], instantiating her construction with noisy multilinear maps causes the proof to fail, in addition to the SXDH assumption itself being false on existing noisy multilinear map candidates. We refer the reader to [LT17,Lin17] for a detailed discussion.

(9)

at least 34, on which theSXDHassumption is believed to hold. At the moment, we have no evidence that such objects exist. Another ideal instantiation would be to provide a direct construction of FE

for constant degree polynomials from well understood hardness assumptions, satisfying the requisite compactness properties for implication to iO. Constructing FE from well-understood hardness assumptions has received significant attention in recent years, and for the moment we do not have any constructions that suffice for iOexcepting those that themselves rely on multilinear maps or iO.

Thus, at present, all concrete instantiations of theFEtoiOcompiler must go via noisy multilinear maps on whichSXDH fails.

Instantiation: Our Results. In our work, we take a different approach to the question of instantiation. We propose to construct FE directly, without going through multilinear maps or graded encoding schemes, and use this FEto instantiate the transformation to iO. We believe this new approach has the following advantages:

1. May be Simpler: Construction ofiO-sufficientFEmight not need the full power of asymmetric multilinear maps, sinceFE is not known to imply asymmetric multilinear maps equipped with

SXDH to the best of our knowledge5. Hence, constructing FEdirectly may be simpler.

2. Yield new and possibly more robust assumptions: Attempts to construct FEdirectly for low degree polynomials yield new hardness assumptions which are likely different from current assumptions on noisy multilinear maps. This direction may yield more resilient candidates than those that go via multilinear maps.

In this work, we provide the first direct candidate of symmetric key FE for constant degree polynomials from new assumptions on lattices. Let F be the class of circuits with depth d and output length`. Then, for anyf ∈ F, our scheme achieves Time(KeyGen) =O poly(κ,|f|)

, and

Time(Enc) =O(|x| ·2d·poly(κ)) where κ is the security parameter. This suffices to instantiate the bootstrapping step above. Our construction is based on the ring learning with errors assumption (RLWE) as well as new untested assumptions on NTRU rings. We provide a detailed security analysis with necessary and sufficient conditions for security. In particular, we provide a proof based on a new assumption in a simplified variant of our scheme; we view this as a first step to provable security. Please see Section 8 for details. The assumptions underlying our construction must be subject to rigorous cryptanalysis before any confidence can be gained in their security. However, even if our particular attempt proves insecure, we believe there is significant value in taking this route and hope it inspires other candidates.

1.3 Our Techniques: Bootstrapping

In this section, we assume familiarity of the reader with RLWEand Regev’s public key encryption scheme [Reg09,GPV08]. Please see Section2 for a refresher. Although our bootstrapping can also be based on standard LWE, we describe it using RLWEhere since it is simpler.

4

Ideally degree 5, so as to remove the reliance on even blockwise localPRGand rely directly on 5 localPRGwhich are better understood.

5

A line of work can traverse the route ofFEtoiOtoPiO(probabilisticiO) tosymmetricmultilinear maps (see [FHHL18] and references therein) using multiple complex subexponential reductions, still not yieldingasymmetric

(10)

Ciphertext and Public Key Evaluation by [AR17]. The starting point of our work is the bounded collusionFE constructed recently by Agrawal and Rosen [AR17]. In this work, the authors design a new encryption algorithm and a new ciphertext evaluation algorithm EvalCT so that the

decryptor, given the encoding of some inputx and some (arithmetic) circuitf ∈NC1 can execute EvalCT to compute a functional ciphertext that encodes f(x),obliviouslyof x.

In more detail, if CT₍_f₍_x₎₎ = EvalCT( ∪

i∈[d]

Ci_{, f}_{) where} _d _{is the depth of the circuit and} _∪ i∈[d]

Ci

is a set of encodings provided by the encryptor, then the functional ciphertext has the following structure:

CT(f(x))=hLinf, Cdi+Polyf(C1, . . . ,Cd−1)

for some f-dependent linear function Linf and polynomial Polyf. Here, Linf and Polyf may be computed by a corresponding public key evaluation algorithm, denoted by EvalPK, given only the

public key and function f. Moreover, upon decryptingCT(f(x)), we get

f(x) +noisef(x)=hLinf, Mdi+Polyf(C1, . . . ,Cd−1) (1.1) whereMd _{is the message vector encoded in level}_d_encodings_Cd_{. Here,} _f₍_x₎_∈_R

p0 for some ring Rp0 andnoisef(x) is a noise term which may be modded out using standard techniques to recover f(x) as desired.

Given the above algorithms, an approach to compute f(x) is to leverage functional encryption for linear functions [ABCP15, ALS16], denoted by LinFE. Recall the functionality of LinFE: the encryptor provides a ciphertext CTz for some vectorz∈Rn, the key generator provides a keySKv for some vector v∈Rn and the decryptor learns hz,vi ∈R. Thus, we may use LinFEto enable the decryptor to compute hLinf, Mdi, let the decryptor computePolyf(C1, . . . ,Cd−1) herself to recover

f(x) +noisef(x).

Unfortunately, this approach is insecure as is, as discussed in [AR17]. For bounded collusion

FE, the authors achieve security by having the encryptor encode a fresh, large noise term noisefld

for each requested keyf which “floods” noisef(x). This noise is forcibly added to the decryption

equation so that the decryptor recoversf(x) +noise_f₍_x₎+noisefld, which by design is statistically

indistinguishable fromf(x) +noisefld. [AR17] show that with this modification the scheme can be

shown to achieve strong simulation style security, by relying just on security of LinFE. However, encoding a fresh noise term per key causes the ciphertext size to grow at least linearly with the number of function keys requested, or in the case of single keyFE, with the output length of the function. Note that to suffice for iO, we are required to construct this scheme with ciphertext size sublinear in the output length of the function, say ` [AJ15,BV15]. Thus, the ciphertext size of [AR17] violates the efficiency required from an FE scheme to be sufficient foriO.

(11)

vectorv∈Rn, the decryptor recovershz, vi+noisez,v wherenoisez,v is specific to the message and function being evaluated.

Let f ∈ NC1 and let the output of f be of size `. Let f1, . . . , f` be the functions that output the ith bit of f for i∈[`]. At a high level, our FE forNC1 will enable the decryptor to compute hLinfi, M

d_i₊_noise

fldi as in [AR17] but instead of having the encryptor encode`noise terms during encryption, we use NLinFEto add noise termsnoisefldi into the decryption equation. In more detail, the encryptor must provide encodings ∪

i∈[d−1]C

i _{as well as an}_NLinFE_{encryption of the level}_d_message

encodingsMd_{(please see Equation}_1.1_{). The key generator provides an}_NLinFE_{key for}_Lin

f so that the decryptor may computePoly_f_i(C1_{, . . . ,}_Cd−1_{) +}_h_Lin

fi, M

d_i₊_noise

fldi as desired.

Noisy linear functional encryption provides the right abstraction (in our opinion) for the smallest functionality that may be bootstrapped to FE for NC1 using our methods. NLinFE captures the

precise requirements on noise that is required for the security of the construction and integrates seamlessly with our new proof technique. Moreover, NLinFEmay be constructed in different ways from different assumptions – we provide three constructions from various assumptions (more on this below), and properties such as ciphertext size and collusion resistance achieved by NLinFEare inherited by FEforNC1. Please see Sections4 and Section6for details.

We remark that our construction crucially uses a powerful property of the ciphertext evaluation algorithm of [AR17], namely that computing a linear function on secret values plus a noise term suffices, along with additional public computation, to compute a function in NC1. This is because

the deep computation is performed on the public encodings asPoly_f(C1_{, . . . ,}_Cd−1_{) and constrained}

decryption is only required for a much shallower function. In this work we show that by assuming indistinguishabilitybased security NLinFE, we may proveindistinguishabilitybased security of FE

forNC1.

Constructing NLinFE. Next, we discuss three methods to construct NLinFEwhich implyFE for

NC1 from various assumptions. Together with the bootstrapping of NLinFEtoFE forNC1 described

above, this suffices for applying the FEtoiOcompiler of [AJ15,BV15].

Our first method makes use of a compact FE scheme which is powerful enough to compute

PRG/blockwise local PRG [LT17]. Let PrgFE be a functional encryption scheme that supports evaluation of a PRGwith polynomial stretch. Then, we may construct NLinFE and hence FEfor

NC1 by leveragingPrgFE to compute the the noise to be added byNLinFEas the output of a PRG. In more detail, by the discussion above, we would like the decryptor to compute:

f(x) +noise_f₍_x₎+noisefld =hLinf, Mdi+noisefld+Polyf(C1, . . . ,Cd−1)

wherenoisef(x)+noisefld is statistically indistinguishable fromnoisefld. Say that the norm ofnoisef(x)

may be bounded above by value Bnse. Then, it suffices to sample a uniformly distributed noise term

noisefld of norm bounded by Bfld, where Bfld is superpolynomially larger than Bnse for the above

indistinguishability to hold. We will usePrgFE to computenoisefld.

In more detail, let Gbe a PRG with polynomial stretch which outputs`uniform ring elements of norm bounded byBfld, and letGi be the function that selects theith output symbol ofG, namely

Gi(seed) =G(seed)[i] whereseed is the seed of thePRG. Then,

1. The encryptor may providePrgFE encryptions of (Md_,_seed_{) along with encodings} _∪ i∈[d−1]C

(12)

2. The key generator may provide a PrgFE secret key for polynomialPi(z1,z2) =hLinfi, z1i+

Gi(z2)

3. The decryptor may computehLinfi, M

d_i₊_G_i(_seed_{) as well as} _Poly

f(C1, . . . ,Cd−1), to recover

f(x) +noisef(x)+Gi(seed) by Equation1.1as desired.

It is crucial to note that the degree of the polynomial Pi is equal to the degree required to compute

Gi, because Linfi is a linear function. Moreover, the degree is unchanged even if we make use of a standardPRGwith binary range. To see this, take a binaryPRGthat requires degreeL to compute, and apply the standard (linear) powers of two transformation to convert binary output to larger alphabet. For a more in-depth discussion, please see Section 7.

Thus, an FEscheme that supports polynomials of degree L, where Lis the degree required to compute a PRG, suffices to constructNLinFEand henceFE for NC1. Moreover, we may pre-process the seed of thePRGas in [LT17] to leverage “blockwise locality”; our construction allows thePRG

to have smaller expansion factor than that required by the Lin-Tessaro construction, as discussed next.

Analyzing the Expansion Factor of the PRG. Above, the polynomial Pi we are required to

construct must compute a function that is degree 1 in the PRG output plus an additional linear function of the encoded messages. By comparison, the underlying degreeLFE in [LV16,Lin17,LT17] must natively compute a polynomial which has degree 3 in output of a PRG. In more detail, the

FE of [Lin17, LT17] must compute a randomizing polynomial [AIK11], which contains terms of the form rirjrk where ri, rj, rk are random elements, each computed using a PRG. Thus, ifL is the locality of the PRG, the total degree of the polynomial is 3L, which is reduced to L using a clever precomputing trick developed by Lin [Lin17]. In contrast, ourFEmust compute a polynomial of the form hLinf, Mdi+PRG(seed) as discussed above, thus natively yielding a polynomial of degree L.

Further, Lin and Tessaro [LT17] construct a method to leverage the blockwise localityL of the

PRG, which is believed to be smaller than locality as discussed above. Recall that the PRGseed is now a matrix of b rows andn columns, and each output bit depends on input bits in at most

L columns. Then, to begin, [LT17] suggest computing all possible monomials in any block, for all blocks, resulting inO(n·2b) total monomials. At this point, the output of aPRG can be computed using a degreeL polynomial. However, since the final polynomial has degree 3 in the PRGoutputs, LT further suggest precomputing all degree 3 products of the monomials constructed so far, leading to a total of O(n·23b) terms. To maintain ciphertext compactness then, the expansion of the PRG

must be at least Ω(n·2b(3+)). We refer the reader to [BBKK17, Appendix B] for an excellent overview of the LT construction, and to [LT17] for complete details.

Since the polynomial in our FE must compute has degree only 1 rather than 3 in PRGoutput, we need not compute degree 3 products inO(n·2b) monomials as required by [LT17], thus requiring to encode a total number of O(n·2b) monomials. Hence, to maintain ciphertext compactness (which is necessary for implication toiO [AJ15, BV15]), the expansion of thePRGin our case must be Ω(n·2b(1+)). Thus, our transformation requires a lower expansion factor than that of [LT17]. Moreover, by sidestepping the need to compute randomized encodings, our bootstrapping becomes simpler and more efficient than that of [LV16, Lin17, LT17]. Please see Section 7.2.1 for more details.

(13)

the noise that must be added to decryption byNLinFE, reveals that using a PRGto compute the noise is wasteful; a weaker object appears to suffice. Specifically, we observe that the noise terms

noisefi(x)fori∈[`], which must be flooded are low entropy, correlated random variables, constructed as polynomials inO(L) noise terms whereL=| ∪

k∈[d]

C_k|. APRG mimics`i.i.d noise terms where

` > L, i.e. O(`) bits of entropy, whereas the random variables that must be flooded have onlyO(L) bits of entropy.

Indeed, even to flood ` functions on L noise terms statistically, only L fresh noise terms are needed. For instance, let us say that we are required to flood (fi(µ))i∈[`] for µ∈ RL. Then, it

suffices to choose β∈RL such that βis superpolynomially larger than µto conclude that

SDβ, β+µ= negl(κ)

This implies that

SD f1(β), . . . , f`(β)

, f1(β+µ), . . . , f`(β+µ)

= negl(κ)

Considering that we must only generateO(L) bits of pseudoentropy, can we make do with something weaker than a PRG?

To make this question precise, we define the notion of a correlated noise generator, denoted by CNG. ACNG captures computational flooding of correlated noise, to mimic statistical flooding described above. In more detail, we will use aCNGto generate flooding termsg1(β), . . . , g`(β) such that to any computationally bounded adversary Adv, it holds that

g1(β), . . . , g`(β)

c

≈ (g1(β) +f1(µ), . . . g`(β) +f`(µ)

Note that if we denote by gi the function for computing theithelement of the PRGoutput, then by choosing the range ofPRGsuperpolynomially larger than |fi(µ)|, the above condition is satisfied. Thus, a PRGimplies a CNG. However, implication in the other direction does not hold, sinceCNG

only generates strictly fewer bits of pseudoentropy than aPRG.

Moreover, matters are even nicer in the case of CNG, becausegi can be chosen after seeing fi, and the distribution ofµis known at the time of choosing gi. So eachgi can be different depending on what it needs to “swallow”. Additionally, we may leverage the fact that a CNGposits that a distribution must be indistinguishable fromitself plus a fixed function, not indistinguishable from uniform.

Our hope is that since a CNGappears weaker than a PRG, it may sidestep the lower bounds known for the blockwise-locality of polynomial stretch PRGs, thereby providing a new route toiO

from bilinear maps. Suggesting candidates for CNG that have lower degree than PRG is outside the scope of this work but we believe it is useful to identify the weakest object that suffices for bootstrapping to iO. For the precise definition ofCNG, please see Section5.

(14)

our case, the PRG output need not be binary since we do not require these as input to randomized encodings. Additionally, they must satisfy a much weaker property than indistinguishability to uniform i.i.d random variables as discussed above. In more detail, say we can bound |fi(µ)| ≤

for i∈[`]. Then we require the PRG outputGi(β) to computationally flood fi(µ) for i∈[`], i.e.

Gi(β) +fi(µ) must be computationally indistinguishable fromGi(β).

We note that the above notion of non Boolean PRGs is qualitatively equivalent to the notion of ∆RGs defined in the concurrent work of Ananth et al. [AJKS18] except that ∆RG are weaker, in that they allow the adversary to win the game with 1/poly probability whereas we require that the adversary only wins with standard negligible probability. By relying on the security amplification theorem of [AJKS18] in a black box way, our construction can also make do with the weaker notion of security considered by [AJKS18].

We conjecture that degree 2 polynomials over Z may be used to compute Gi(β) via the

multivariate quadratic MQ assumption. At a high level, the MQ assumption states that given

` multivariate quadratic polynomials pi(x) in n variables x = (x1, . . . , xn), where ` > n, over a finite field F, it is infeasible to recoverx for appropriate values of`, nand choice of polynomialspi.

The MQ assumption has been studied extensively [MI88,BFP09,BFSS13,BFS03,Wol05,DY09, YDH+15,WP05,TW10,AHKI+17] and has formed the basis of several cryptosystems, please see [DY09] for a survey. MQ is known to be NP complete in the worst case, and the general method to solveMQ involves computing Gr¨obner bases, which are notoriously hard to compute [Wol05]. We remark that a significant effort in design ofMQ based cryptosystems stems from embedding hidden trapdoors in systems of equations, something that is unnecessary in our setting. Hence, using MQ

to designPRGwith non-Boolean output appears significantly simpler than using it to design public key encryption, which has been the focus of much past research. Please see Section 5 for more discussion. We conjecture that randomly chosen polynomials with coefficients super-polynomially larger thansuffice for the aforementioned flooding. We leave further analysis of such randomness generators to future work.

1.4 Related Work: Bootstrapping

In this section, we provide a detailed comparison with works that are most closely related to ours.

Predicate encryption [GVW15, Agr17, BTVW17] and reusable garbled circuits [GTKP+13, Agr17]. A successful approach to constructing functional encryption schemes from standard assumptions is the predicate encryption scheme by Gorbunov et al. [GVW15] and its extensions [Agr17,BTVW17]. Roughly speaking, these schemes make use of an attribute based encryption (ABE) scheme for circuits [GVW13,BGG+14] in conjunction with a fully homomorphic encryption scheme to achieve a system where the input xis hidden only as long as the adversary’s key requests obey a certain “one sided” restriction w.r.t the challenge messages. In more detail, security holds as long as the adversary does not obtain keysSKf for any circuitf such thatf(x) = 0. Given an adversary who obeys this “one sided” restriction, functionality is general, i.e. the adversary may request for a key corresponding to any polynomial sized circuit. However, in the general “two sided” security game, the schemes are shown to be insecure [GVW15,Agr17]. The reusable garbled schemes of [GTKP+13,Agr17] satisfy general two sided security but do not achieve compact ciphertext required for bootstrapping to iO.

(15)

different. While [GVW15, GKP+13] also use FHE in order to hide the attributes in an FE scheme, the building block of ABE necessitates the restriction of one sided security due to the basic structure of ciphertexts and secret keys. As discussed in [Agr17], if the predicate encryption scheme [GVW15] is subject to a general two sided adversary, the adversary may requests keys for related functions which can lead to the recovery of a secret lattice basis, leading to a complete break in security. We emphasize that this attack exploits the structure of the secret keys and ciphertext in the underlying ABE scheme and is in distinct from the attack implied by the leakage of the FHE noise learnt by the attacker upon decryption – indeed, the follow-up work of [BTVW17] shows how to construct predicate encryption that does not contain the FHE noise leakage. Thus, despite supporting powerful functionality, current techniques for generalizing ABE to FE get stuck in the quicksand of one sided security.

To overcome this challenge, we insist on a two sided adversary at any cost to functionality. We follow the approach of [AR17] which starts with the modest functionality of linear functional encryption [ABCP15,ALS16] satisfying two sided security, and makes use of special properties of the FHE scheme of Brakerski and Vaikuntanathan [BV11b] to decompose function computation into a “deep” public computation performed using FHE and a “shallow” (linear) private computation, performed using linear FE [ABCP15,ALS16]. The public FHE computation is performed by the decryptor outside any FE scheme, namely, without any guarantee of constrained decryption. This is in contrast to [GVW15, Agr17, BTVW17] where the entire function evaluation is performed within the confines of the ABE evaluation, which constrains decryption of the final FHE ciphertext and renders futile any attempts to tamper with the functionality. However, in [AR17] the only constrained decryption is via the modest functionality of linear FE but the authors argue that constraining a linear function suffices to constrain computation in NC1, at the cost of non-compact ciphertext.

In the present work, to achieve security as well as succinct ciphertext, we look at the mildest possible strengthening of this functionality, namely one that supports computation of linear functions plus a noise term which satisfies a relatively mild statistical property, as formalized via the notion of noisy linear functional encryption (NLinFE). We then show that this notion of NLinFEmay be bootstrapped all the way to iO.

Comparison with [AR17]. Even though the present work uses the ciphertext and public key evaluation algorithms developed by Agrawal and Rosen [AR17], our construction of FE for

NC1 and particularly our proof technique are quite different. Firstly, [AR17] is in the bounded collusion setting with non-compact ciphertext, and achieves a simulation based security which is known to be impossible in our setting where compact ciphertext is crucial. Hence, we must give an indistinguishability style proof which is significantly harder, and requires using a new proof technique developed in this work. Moreover, [AR17] adds statistical large flooding noise which is oblivious of the distribution of noise it needs to drown, whereas we will analyze and leverage the distribution carefully. Most importantly, [AR17] can make do with linear FE whereas we crucially need noisy linearFE6. Finally, we give many instantiations ofNLinFEusing bilinear maps and weak randomness generators as well as directly using new assumptions.

6

(16)

Independent and concurrent work. In an independent and concurrent work, Ananth, Jain, Khurana and Sahai [AJKS18] also provide an approach to constructiO without multilinear maps. They rely on (subexponentially-secure) bilinear maps, LWE, block-locality 3 PRGs, and a new type of randomness generator, which they call perturbation resilient generator, denoted as ∆RG. Their techniques and overall construction are extremely different from ours. However, we find it very interesting that both works intersect in identifying a very similar new type of PRG as sufficing to fill the gap between assumptions we believe and iO. Their notion of ∆RG is almost exactly the same as the non-Boolean PRG that (is one of the types of PRGs) we identify – both notions require the generation of some noise N such that N is indistinguishable from N +e for some bounded e. However, they only require a weak form of indistinguishability, namely the adversary is allowed to distinguish between N and N +e with 1/poly probability in their case, whereas we require standard negligible distinguishing probability. They also provide a generic security amplification theorem, which transforms FE forNC1 which satisfies this weak indistinguishability to FE with standard indistinguishability. Their security amplification theorem can be used black box in our construction to also rely on ∆RG (or the weaker notion of CNG) with similar weak indistinguishability. We may also use their security amplification theorem to weaken the requirement on the underlying quadratic FE scheme so that it can be instantiated using existing constructions [Lin17,BCFG17]. In more detail, we use quadratic FE to compute a noise term which must be natively superpolynomial in size to argue security. However, existing constructions of quadratic functional encryption schemes [Lin17,BCFG17] perform decryption “brute force”, by computing a discrete logarithm in the end, restricting the space of decryptable values to be polynomial in size. To align with known constructions of quadratic FE, we choose our flooding noise to be polynomial in size – this overcomes the above issue but results in 1/poly advantage to the adversary. This advantage can be made negligible by leveraging the security amplification theorem of [AJKS18] in a black box manner. For more details, please see Section7.

Aside from significantly different techniques, the final results obtained by the two works are also different. First, we define the abstraction of noisy linear FE, and bootstrap this to iO. The instantiation of noisy linear FE using bilinear maps and ∆RG is only one of the ways of achieving

iO; we also define an even weaker type of PRG, namely correlated noise generators (denoted by

CNG, please see Section5) which suffices foriO. On the other hand, their security requirement from their randomness generators is significantly weaker – they only require 1/poly security as discussed above. Moreover, they provide a general security amplification theorem which we do not. The details of the techniques in the two works are vastly different: [AJKS18] define and instantiate the notion of tempered cubic encodings which do not have any analogue in our work. Also, we provide a direct construction ofNLinFEfrom new lattice assumptions (Section 8). We believe this opens a new approach to constructing iOfrom different assumptions, which may be especially relevant in the post quantum regime. In the bilinear maps instantiation, we rely on the SXDHassumption on bilinear maps, whereas they argue security in the generic bilinear map model. Finally, they require block-locality 3 PRGs whereas we do not.

(17)

of the public seed can be emulated by sampling a function from a family. We refer the reader to [LM18] for a detailed discussion.

Follow-up work. In a follow-up work7, Lin and Matt [LM18] leverage our techniques to provide a different construction ofiOfrom bilinear maps, LWEand weak pseudorandom objects, which they term Pseudo Flawed-smudging Generators (PFG). The high level structure of their construction is very similar to ours: they also use special properties of the FHE scheme of Brakerski and Vaikuntanathan [BV11b] to split the functional computation into a deep public computation and a shallow private computation, the former being done by the decryptor in the clear, and the latter being performed in the exponent of a bilinear group using quadratic operations. To argue security, they must, similarly to us, perform noise flooding in the exponent. The main difference from our work is that the choice of noise in our setting is natively super-polynomial as discussed above, whereas [LM18] can make do with polynomial noise via their notion of Pseudo Flawed-smudging Generators (PFG). PFGs guarantee that flooding with polynomial sized noise hides the input at all except a few locations. They construct “weak and leaky” FE for degree 3 polynomials using bilinear maps, LWE and PFGs, which they further amplify to full fledged FE for NC1 using threshold

multi-key FHE. Their security analysis is also quite different from ours and relies on the robustness of LWE as well as the specific properties of PFG. We observe that PFG and ∆RG are incomparable and refer the reader to [LM18] for a detailed comparison.

We remark that in contrast to the present work, [LM18] construct FE for NC0 and then rely on randomized encodings to bootstrap this to FE for NC1, as in prior work [LV16,Lin17, LT17].

On the other hand, we use techniques from [BV11b] in a non blackbox way to bootstrap all the way to NC1 directly. Both works suggest using the multivariate quadratic assumption to instantiate the (different) weak PRGs they need, but while our suggestion is preliminary, [LM18] back up their suggestion with a concrete candidate and extensive security analysis.

1.5 Our Techniques: Direct Construction of NLinFE

Next, we provide a direct construction of NLinFE based on new (untested) assumptions that strengthen ring learning with errors (RLWE) andNTRU. Our construction is quite different from known constructions and does not rely on multilinear maps or graded encoding schemes.

As discussed above, flooding correlated noise terms appears qualitatively easier than generating uniform pseudorandom variables. Recall that`is the output length of the function andLis sublinear in`. In this section, we discuss a method to provideL encodings of a seed vector βin a way that the decryptor can compute `encodings of{gi(β)}_i∈[`] on the fly. The careful reader may suspect

that we are going in circles: if we could compute encodings ofgi(β) on the fly, could we not just compute encodings offi(x) on the fly?

We resolve this circularity by arguing that the demands placed on noise in lattice based constructions are significantly weaker than the demands placed on messages. In particular, while computation on messages must maintain integrity, noise need only create some perturbation, the exact value of this perturbation is not important. Therefore if, in our attempt to compute an encoding

gi(β), we instead compute an encoding of g0i(β

0_{), this still suffices for functionality. Intuitively}_g0

i(β

0₎

will be a polynomial equation of β designed to floodfi(µ).

(18)

In order to constructFEthat supports the computation of noisy linear equations, we begin with an

FEthat supports computation of linear equations, denoted byLinFE, provided by [ABCP15,ALS16]. All our constructions use the blueprint provided in [ALS16] to support linear equations, and develop new techniques to add noise. In order to interface with theLinFE construction of [ALS16], we are required to provide encodings of noise terms β such that:

1. Given encodings of β and gi the decryptor may herself compute on these to construct an encoding ofgi(β).

2. The functional encoding of gi(β) must have the formhg,i·s+noiseg,i+gi(β) where hg,i is computable by the key generator given only the public/secret key and the function value. In particular, hg,i should not depend on the ciphertext.

In order to compute efficiently on encodings of noise, we introduce a strengthening of the RLWE

andNTRUassumptions. Let R=Z[x]/hxn+ 1i andRp1 =R/(p1·R), Rp2 =R/(p2·R) for some

primesp1< p2. Then, the following assumptions are necessary (but not sufficient) for security of

our scheme:

1. We assume that the NTRU assumption holds even if multiple samples have the same

denominator. This assumption has been discussed by Peikert [Pei16, 4.4.4], denoted as theNTRU learning problemand is considered a reasonable assumption. In more detail, for

i∈ {1, . . . , w}, sample f1i, f2i and g1, g2 from a discrete Gaussian over ringR. If g1, g2 are

not invertible overRp2, resample. Set

h1i =

f1i

g1

, h2i=

f2i

g2

∈Rp2

We assume that the samples {h1i, h2j}for i, j∈[w] are indistinguishable from random. Note thatNTRUrequires the denominator to be chosen afresh for each sample, i.e. h1i (resp. h2i) should be constructed using denominator g1i (resp. g2i), fori∈[w].

2. We assume that RLWE with small secrets remains secure if the noise terms in RLWE samples live in some secret ideal. In more detail, for i∈[w], letDb(Λ₂),Db(Λ₁) be discrete Gaussian

distributions over lattices Λ2 and Λ1 respectively. Then, sample

e1i ←Db(Λ₂), where Λ₂ ,g₂·R. Let e₁_i=g₂·ξ₁_i∈small, e2i ←Db(Λ₁), where Λ₁ ,g₁·R. Let e₂_i=g₁·ξ₂_i∈small,

Above, small is a place-holder term that implies the norm of the relevant element can be bounded well below the modulus size, p2/5, say. We use it for intuition when the precise

bound on the norm is not important. Hence, for i, j∈[w], it holds that:

h1i·e2j =f1i·ξ2j, h2j·e1i =f2j·ξ1i ∈ small Now, sample small secretst1, t2 and for i∈[w], compute

(19)

We assume that the elements d1i, d2j fori, j∈[w] are pseudorandom. The powerful property that this assumption provides is that the product of the samplesd1i·d2j do not suffer from large cross terms for anyi, j∈[w] – since the error of one sample is chosen to annihilate with the large element of the other sample, the product yields a well behavedRLWEsample whose label is a product of the original labels. In more detail,

d1i·d2j = h1i·h2j

·(t2 t2) +p1·noise

wherenoise=p1· f1i·ξ2j·t1+f2j·ξ1i·t2+p1·g1·g2·ξ1i·ξ2j

∈small

If we treat each d1i, d2j as an RLWE sample, then we may use these samples to encode noise terms so that direct multiplication of samples is well behaved. Note that the noise terms we wish to compute on, are the messages encoded by the “RLWEsample” d1i, henced1i must contain two kinds of noise: the noise required for RLWEsecurity and the noise that behaves as the encoded message. This requires some care, but can be achieved by nesting these noise terms in different ideals as:

d1i =h1i·t1+p1·˜e1i+p0·e1i ∈Rp2 d2i =h2i·t2+p1·˜e2i+p0·e2i ∈Rp2

Here, (p1·e˜1i, p1·e˜2i) behave as RLWEnoise and (p0·e1i, p0·e2i) behave as the encoded messages.

Both ˜e1i, e1i as well as ˜e2i, e2i are chosen from special ideals as before. Now, we may compute quadratic polynomials on the encodings “on-the-fly” as P

i,j

d1id2j to obtain a structured-noiseRLWE sample whose label is computable by the key generator. If we treat this dynamically generated encoding as anRLWE encoding of correlated noise, then we can use this to add noise to theNLinFE

decryption equation by generalizing techniques from [ALS16]. The decryptor can, using all the machinery developed so far, recoverfi(x) +noisef(x)+noisefldi wherenoisefldi is constructed as a quadratic polynomial of noise terms that live in special ideals. Indeed, there is no need to stop at quadratic polynomials – we can compute any constant degree polynomial, see Section 8 for details. Again, we remind the reader that setting noisefldi =PRGi(seed) would make the scheme provably secure, so an approach is to choose the bounded degree polynomial to be computed as PRGi.

Mixing Ideals. While it suffices for functionality to choose the correlated noise term as a polynomial evaluated on noise living in special ideals, the question of security is more worrisome. By using the new “on-the-fly” encodings of noise, the decryptor recovers noise which lives in special, secret ideals, and learning these ideals would compromise security. In more detail, the noise term we constructed above is a random linear combination of terms (g1·g2), {f1i}i,{f2j}j, which must be kept secret for semantic security ofd1i, d2j to hold. Indeed, if we over-simplify and assume that the attacker can recover noise terms that live in the ideal generated byg1·g2, then recoveringg1·g2

from these terms becomes an instance of the principal ideal problem[Gen09,CDPR16].

While the principal ideal problem has itself resisted efficient classical algorithms so far, things in our setting can be made significantly better by breaking the ideal structure using additional tricks. We describe these next.

1. Mixing ideals. Instead of computing a single set of pairs h1i, d1i

, h2i, d2i

, we now

(20)

for i∈ {1, . . . , w},j ∈ {1, . . . , k}, wherew, k are fixed polynomials independent of function output length `, and set

hj₁_i = f j

1i

g₁j, h

j

2i=

f₂j_i gj₂ ∈Rp2

The encoding of a noise term constructed corresponding to the (i, j)th _{monomial is} _d ii0 =

P

j∈[k]

d1id2i0. Thus, the resultant noise term that gets added to the decryption equation looks like:

p0· "

X

j∈[k]

gj₂·g₁j·p0·(ξj1i·ξ j

2i0)

+f₁j_i·ξ₂j_i0·t1+f₂j_i0·ξ`₁_i·t2

!#

(1.2)

Thus, by adding together noise terms from multiple ideals, we “spread” it out over the entire ring rather than restricting it to a single secret ideal. Also, we note that it is only the higher degree noise terms that must live in special ideals; if the polynomial contains linear terms, these may be chosen from the whole ring without any restrictions. In more detail, above, we computed a noise term corresponding to a quadratic monomial which required multiplying and summing encodings. If we modify the above quadratic polynomial to include a linear term, we will need to add a degree 1 encoding into the above equation. The degree 1 encoding which does not participate in products, may encode noise that is chosen without any restrictions, further randomizing the resultant noise.

2. Adding noise generated collectively by ciphertext and key. Aside from computing polynomials over structured noise terms encoded in the ciphertext, we suggest an additional trick which forces noise terms into the decryption equation. These noise terms are quadratic polynomials where each monomial is constructed jointly by the encryptor and the key generator. This trick relies on the structure of the key and ciphertext in our construction. We describe the relevant aspects of the key and ciphertext here, for details please see Section8. The key for functionfi is a short vectorksuch that:

hw, ki=ufi

where w is part of the master secret, and ufi is computed by the key generator using the

EvalPK function. The encryptor provides an encoding

c=w·s+p1·noise0

As part of decryption, the decryptor computeshk,cito obtainufi·s+p1·hk, noise0i. Moreover by runningEvalCT(C1, . . . ,Cd), she also obtainsufi ·s+f(x) +p0·noise+p1·noise

0 _(please

see Appendix Efor details). Subtracting these and reducing modulo p1 and then modulop0

yieldsf(x) as desired.

Intuitively, the structured noise computed above is part of the noise in the sample computed byEvalCT, i.e. part of p0·noise+p1·noise0

(21)

We modify KeyGenso that instead of choosing a single k, it now chooses a pair (k1,k2) such that:

hw, k1i=ufi+p0·∆

1₊_p 1·∆˜1

hw, k2i=ufi+p0·∆

2₊_p 1·∆˜2

Here, ∆1_{, ∆}2_{, ˜}_∆1_{, ˜}_∆2 _{are discrete Gaussians sampled by the key generator}_{unique to the key}

for fi. Additionally, the encryptor splits c as:

c01=w·s1+p1·ν1 c02=w·s2+p1·ν2

where s1+s2 =sand s1, s2 are small, then,

hk1, c01i+hk2, c02i=ufi·s+p0· ∆

1_·_s

1+ ∆2·s2

+p1· ∆˜1·s1+ ˜∆2·s2

+p1·noise

Thus, we forced the quadratic polynomialp0· ∆1·s1+ ∆2·s2

+p1· ∆˜1·s1+ ˜∆2·s2

into the noise, where ∆1,∆2 and ˜∆1,∆˜2 are chosen by the key generator for the particular key request and the termss1 and s2 are chosen by the encryptor unique to that ciphertext. Note

that wcan be hidden from the view of the adversary since it is not required for decryption, hence the adversary may not computehw, k1i, hw, k2i in the clear. For more details, please see Section 8.

1.6 Related Work: Instantiation

To the best of our knowledge, all prior work constructing FE for degree L ≥ 3 polynomials rely on either iO itself [GGH+13c] or multilinear maps [GGHZ16] or bilinear maps and weak pseudorandomness [AS17, Lin17,LT17] as discussed above. Since our direct construction also makes use of NTRU lattice assumptions, we discuss here some high level differences between multilinear map based approaches and our approach.

Let us describe the main ideas behind the multilinear map construction of [GGH13b]. Our description follows the summary of [LSS14]. Similarly to us, the authors consider the polynomial ringsR =Z[x]/hxn+ 1i andRq =R/qR. They generate a small secretg∈R and setI =hgi to be the principal ideal overR generated by g. Next, they sample a uniformz∈Rq which stays secret. The “plaintext” is an element ofR/I, and is encoded via a division byz inRq: to encode a coset of R/I, give element [c/z]q where c is an arbitrary small coset representative. Sinceg is hidden, the authors provide another public parameter y, which is an encoding of 1 and the encoding of the coset is chosen as [e·y]q where eis a small coset representative. At leveli6= 1, the encoding has the form c/zi]q.

The encodings are additively and multiplicatively homomorphic, and for testing whether an element in the last levelD(say) encodes 0, the authors provide a “zero test parameter”pzt =hzDg−1 mod q where h is an element of norm approximately √q. The parameters are set so that if an element encodes 0, its product with this parameter is “small” otherwise it is “large”.

(22)

level encoding, perform an algebraic computation on the results of the zero testing so as to obtain an element in the idealhgi. Once an element inhgi is obtained, different attacks work in different ways, but in the “weak multilinear map model” [GMM+16], being able to recover an element in hgi is considered a successful attack. Thus, the unique element g must crucially be kept secret.

In our work, decryption of the FE scheme also results in a high degree polynomial containing secret elementsf1ig1, f2ig2 for i∈[poly] along with fresh random elements per ciphertext. However,

unlike the multilinear map template where there is a single secret g, there are a polynomial number of secret elements that play (what appears to us) qualitatively the same role as g in our construction. Moreover, these are “spread out” in the recovered polynomial which makes obtaining any term isolating any one secret element via algebraic manipulations see improbable. Additionally, annihilation attacks [MSZ16] crucially make use of the fact that the unstructured elements that are unique to every encoding arelinear, which assists in the computation of the annihilation polynomial. In contrast, unstructured elements in our recovered polynomial that are unique to the encoding are high degree and seem much harder to annihilate.

Our construction ofNLinFEappears much simpler in design than the construction of multilinear map based obfuscators, we refer the reader to [MSZ16, PM18] for a clean description of an abstract obfuscator. Unlike current candidate obfuscators, we do not need to use straddling sets for handling mixed input attacks, eliminating a vulnerability recently exploited by [PM18]. This is because mixed input attacks seem very hard to launch in our construction, since we do not use branching programs and all parts of a given input are tied together using an LWE secret (albeit with a non-standard LWE assumption). Moreover, the function keys in our FE construction have a different structure than the ciphertext and do not seem amenable to mix and match attacks. Finally, if we assume for a moment that the weak LWE problem used above does not leak anything, then the adversary is left with a high degree polynomial in many fixed secrets as well as many fresh random variables. The only requirement from this polynomial is that it must mimic noise which satisfies some mild statistical properties, as captured by the notion ofCNG. Since PRGs are conjectured to exist with low degree computation, andCNGare even weaker, explicitly permitting certain kinds of correlation, it seems quite plausible that the mixed-ideal high-degree polynomial that the adversary sees does fulfil this mild requirement. Nevertheless, serious cryptanalysis effort is required on our construction before confidence can be gained in its security.

1.7 Putting it together.

Put together, an overview of our transformation is provided in Figure1.2.

1.8 Organization of the paper

In Section2we provide the definitions and preliminaries we require. In Section3we define the notion of noisy linear functional encryption NLinFE. In Section4we provide our warm-up construction of QuadraticFE from Noisy Linear FE andPRG. In Section5 we define the notion of correlated noise generatorsCNGand non-BooleanPRGthat we require. In Section6, we provide our full construction ofFE for NC1 using NLinFE, RLWEandCNG. In Section 7we provide our bootstrapping theorems,

(23)

Figure 1.2: Overview of our transformation. Above, FH refers to function hiding.

10.

2 Preliminaries

In this section, we define the preliminaries we require for our constructions. We begin with defining the notation that we will use throughout the paper.

Notation. We say a function f(n) isnegligible if it isO(n−c_{) for all}_{c >}_{0, and we use negl(}_n₎ to denote a negligible function ofn. We say f(n) is polynomialif it is O(nc) for some c >0, and we use poly(n) to denote a polynomial function ofn. We say an event occurs withoverwhelming probability if its probability is 1−negl(n). The function logx is the base 2 logarithm of x. The notationbxe denotes the nearest integer tox, rounding towards 0 for half-integers.

Throughout the writeup, we use the termnoiseas a place-holder forRLWEnoise when its precise value is not important. Similarly we use the termsmallas a place holder that implies the norm of the relevant element (β (say) when we have β ∈small), can be bounded well below the modulus size,modulus/5, say. We use it for intuition when the precise bound on the norm is not important.

2.1 Pseudorandom Generators

Definition 2.1 (Pseudorandom Generator (PRG)). A function G : {0,1}n _{→ {}₀_,₁_}m _{is a} pseudorandom generator (PRG) if it has the following properties:

(24)

2. For any probabilistic polynomial time adversaryAdv, it holds that

Pr

β←{0,1}n 1←Adv(G(β)

− Pr

r←{0,1}m 1←Adv(r)

= negl(κ)

Here, β is called theseedof the PRGG, andm−n is called thestretchof the PRG. In this paper, we focus on the polynomial stretch regime, namely wherem=O(nc) for some constant

c >1. IfGis computable inNC0, then we define thelocality ofGto be the maximum number

of input elements on which any output element ofG depends.

Lin and Tessaro [LT17] defined the notion ofblockwise localityas follows.

Definition 2.2 (Blockwise Locality[LT17]). Let n, m, Landbbe polynomials. We say an (n, b, m)

PRGhas blockwise locality Lif the input of the PRGmay be viewed as a matrix withb rows andn

columns, and each output bit of the PRGdepends on input bits that are contained in at mostL of

bcolumns.

2.2 Indistinguishability Obfuscation

A uniform P.P.T machine iOis an indistinguishability obfuscator for a class of circuits{C_κ}_κ∈_N, if

the following conditions are satisfied:

1. Correctness. For all security parametersκ∈_N, for anyC∈ Cκ and every input xfrom the domain of C, we have that:

PrC0 ←iO(1κ, C) :C0(x) =C(x)= 1 where the probability is taken over the coin-tosses of the obfuscatoriO.

2. Indistinguishability of Equivalent Circuits. For every ensemble of pairs of circuits {C0,κ, C1,κ}κ∈N, andC0,κ(x) =C1,κ(x) for everyx, we have that the following ensembles of

pairs of distributions are indistinguishable to any P.P.TAdv:

n

C0,κ, C1,κ,iO(1κ, C0,κ)

o _c

≈nC0,κ, C1,κ,iO(1κ, C1,κ)

o

2.3 Functional Encryption

Let X ={Xκ}κ∈_N andY ={Yκ}κ∈_N denote ensembles where each Xκ and Yκ is a finite set. Let C=Cκ _κ_∈

N denote an ensemble where eachCκ is a finite collection of circuits, and each circuit g∈ C_κ takes as input a stringx∈ X_κ and outputs g(x)∈ Y_κ.

A functional encryption scheme FEfor C consists of four algorithmsFE= (FE.Setup,FE.Keygen, FE.Enc,FE.Dec) defined as follows.

• FE.Setup(1κ) is a p.p.t. algorithm takes as input the unary representation of the security parameter and outputs the master public and secret keys (PK,MSK).

(25)

• FE.Enc(PK, x) is a p.p.t. algorithm that takes as input the master public keyPKand an input message x∈ X_κ and outputs a ciphertext CT.

• FE.Dec(SKg,CTx) is a deterministic algorithm that takes as input the secret keySKg and a ciphertext CTx and outputs g(x).

Definition 2.3 (Correctness). A functional encryption scheme FE is correct if for all g∈ Cκ and all x∈ Xκ,

Pr

₍_PK_,_MSK₎←_FE_._Setup₍₁κ_);

FE.Dec

FE.Keygen(MSK, g),FE.Enc(PK, x)

6

=g(x)

= negl(κ)

where the probability is taken over the coins ofFE.Setup,FE.Keygen, and FE.Enc.

Security. In this paper we will consider the standard indistinguishability based definition.

Definition 2.4. A functional encryption schemeFEfor a function familyCis secure in the adaptive indistinguishability game, denoted asINDsecure, if for all probabilistic polynomial-time adversaries

Adv, the advantage ofAdvin the following experiment is negligible in the security parameterκ:

1. Public Key. Challenger Chreturns PKtoAdv.

2. Pre-Challenge Key Queries. Adv may adaptively request keys for any functions

g1, . . . , g`0 ∈ C. In response,Adv is given the corresponding keys SK_g i.

3. Challenge. Adv outputs the challenges (x0,x1) ∈ X to the challenger, subject to the

restriction that gi(x0) =gi(x1) for all i∈[`0]. The challenger chooses a random bitb, and

returns the ciphertextCTxb.

4. Post-Challenge Key Queries. The adversary may continue to request keys for additional functions gi, subject to the restriction that gi(x0) = gi(x1) for all i ∈ {`0+ 1, . . . , `}. In

response, Advis given the corresponding keys SKgi.

5. Guess. Adv outputs a bitb0, and succeeds if b0=b.

Theadvantage ofAdv is the absolute value of the difference between its success probability and 1/2. In theselective game, the adversary must announce the challenge in the first step, before receiving the public key. Note that without loss of generality, in the selective game, the challenge ciphertext can be returned along with the public key. In thesemi-adaptive game, the adversary must announce the challenge after seeing the public key but before making any key requests.

We also define a very restricted notion of security, calledFull-Selsecurity, in which the adversary must announce both the challenge messages and key requests in the very beginning of the game, before seeing even the public key. This notion of security is sufficient for building iOfrom FE (see for instance [LT17, Sec 2.5.1]).

New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation

New Methods for Indistinguishability Obfuscation:

Bootstrapping and Instantiation

Contents

1

Introduction

2

Preliminaries